Open Source

Everyone loves open source, and for good reason. We want to help you use open source and stay secure. Read more to learn how this is achievable!

npm passes the 1 millionth package milestone! What can we learn?

June 4th is a historic date. Not only is it our very own Liran Tal’s birthday (Mazal Tov, Liran!) but it is also the date that the millionth package was indexed into the npm registry. npm is a package manager for JavaScript packages. The core component of npm is its public registry, hosting JavaScript packages […]

June 4, 2019

CRLF injection found in popular Python dependency, urllib3

On April 18, 2019, a CRLF injection vulnerability was found in the popular Python library urllib3. The urllib3 library is an HTTP client for Python that includes valuable features such as thread safety, connection pooling, client-side SSL/TLS verification, and more. It is used widely in the Python ecosystem, including within requests, another popular library. In […]
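The vulnerability class named above, CRLF injection, is worth seeing end to end. The following is an added illustration, not urllib3's code and not a description of the urllib3 bug itself: a hand-rolled HTTP/1.1 request builder that splices a caller-supplied target into the request line, a lenient parser showing what a server would then believe it received, and a hardened builder that refuses control characters and percent-encodes the query. The host name, paths and the attacker string are constructed for the example.

```javascript
// Added illustration of the CRLF injection class (example code, not urllib3's).

// Naive builder: whatever the caller passes ends up verbatim in the request line.
function buildRequestUnsafe(host, target) {
  return `GET ${target} HTTP/1.1\r\nHost: ${host}\r\n\r\n`;
}

// Lenient parse of the request head: the first line is the request line, the
// rest are "Name: value" headers. Lines without a colon are ignored, as many
// servers do, and a later duplicate header overwrites an earlier one.
function parseRequest(raw) {
  const head = raw.split("\r\n\r\n")[0];
  const lines = head.split("\r\n");
  const headers = {};
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(":");
    if (idx > 0) {
      headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
    }
  }
  return { requestLine: lines[0], headers };
}

// Hardened builder: reject CR, LF and every other control character in any
// caller-supplied piece, then percent-encode query parameters instead of
// trusting a pre-assembled string.
function buildRequestSafe(host, path, query) {
  const pieces = [host, path].concat(...Object.entries(query));
  for (const piece of pieces) {
    if (/[\x00-\x1f\x7f]/.test(String(piece))) {
      throw new Error("control character in request component");
    }
  }
  const qs = new URLSearchParams(query).toString();
  const target = qs ? `${path}?${qs}` : path;
  return `GET ${target} HTTP/1.1\r\nHost: ${host}\r\n\r\n`;
}

// Constructed attacker input: the target closes its own request line, adds a
// header, and leaves the builder's " HTTP/1.1" suffix stranded on a line with
// no colon, which the lenient parser silently discards.
const injectedTarget = "/search?q=x HTTP/1.1\r\nX-Injected: attacker-controlled\r\n";

function demo() {
  const seen = parseRequest(buildRequestUnsafe("example.test", injectedTarget));
  let safeError = null;
  try {
    buildRequestSafe("example.test", "/search", {
      q: "x HTTP/1.1\r\nX-Injected: attacker-controlled",
    });
  } catch (e) {
    safeError = e.message;
  }
  const benign = buildRequestSafe("example.test", "/search", { q: "a b&c" });
  return {
    requestLine: seen.requestLine,
    injectedHeader: seen.headers["x-injected"],
    safeError,
    benign,
  };
}
```

The unsafe path yields a request whose `X-Injected` header the server attributes to the client; the hardened path throws before anything is sent, and a benign value comes out encoded (`q=a+b%26c`). Mature HTTP clients validate header values and request targets for you; the risk surfaces whenever a request is assembled by hand or one input path escapes the validation.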

May 15, 2019

JVM Ecosystem Survey 2019

We’re excited to launch the new JVM Ecosystem Survey 2019. The goal of this survey is to understand the lay of the land across the entire JVM ecosystem and Java in particular. Once we get all of your wonderful responses we’re going to turn them into a beautiful report that you can read, print out, turn […]

May 14, 2019

190,000 users affected by Docker Hub’s security breach. Now what?

Docker Hub may have reset your account details if it detected that your account was part of the breach. What could happen as a result? What should you do to protect your code?

April 29, 2019

How much do we really know about how packages behave on the npm registry?

How many packages on npm can be considered abandoned? How many packages are connected to each other? Let's explore npm - today’s biggest open source package registry!

April 22, 2019

Shifting Docker security left

As more organizations create, spread and use Docker containers, the risk of security vulnerabilities grows. Docker images are largely built on top of other images, meaning a vulnerability in one image is also present in all the images that utilize it. The wide adoption of Docker comes at a price — a single vulnerability can be widely spread and have major impact.
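The inheritance point above has a practical consequence: when a base image turns out to carry a vulnerability, you need to know every image in your estate that was built on it. The following is an added example, not tooling from the report: it parses the `FROM` lines of a set of Dockerfiles (handling multi-stage aliases, `--platform`, `scratch` and `ARG` defaults), answers "which Dockerfiles inherit from image X?", and lists bases that are pulled by tag only and so should be pinned by digest. The sample Dockerfiles are constructed for the example.

```javascript
// Added example: blast radius of a vulnerable base image across Dockerfiles.
// Sample Dockerfiles are constructed; this is not the report's own tooling.

const sampleDockerfiles = {
  "api/Dockerfile": [
    "FROM node:10-alpine AS build",
    "WORKDIR /app",
    "COPY . .",
    "RUN npm ci",
    "FROM --platform=linux/amd64 node:10-alpine",
    "COPY --from=build /app /app",
    'CMD ["node", "/app/server.js"]',
  ].join("\n"),
  "worker/Dockerfile": [
    "FROM python:3.7",
    "COPY requirements.txt .",
    "RUN pip install -r requirements.txt",
  ].join("\n"),
  "tools/Dockerfile": [
    "ARG BASE=ubuntu:18.04",
    "FROM $BASE AS builder",
    "RUN make -C /src",
    "FROM scratch",
    "COPY --from=builder /src/tool /tool",
  ].join("\n"),
};

// Split an image reference into repository, tag and digest. The tag colon is
// searched only after the last "/", so a registry port such as
// localhost:5000/app:1.0 is not mistaken for a tag.
function splitRef(ref) {
  let rest = ref;
  let digest = null;
  let tag = null;
  const at = rest.indexOf("@");
  if (at !== -1) {
    digest = rest.slice(at + 1);
    rest = rest.slice(0, at);
  }
  const colon = rest.indexOf(":", rest.lastIndexOf("/") + 1);
  if (colon !== -1) {
    tag = rest.slice(colon + 1);
    rest = rest.slice(0, colon);
  }
  return { repo: rest, tag, digest };
}

// External base images of one Dockerfile. References to earlier stages
// (FROM x AS name ... FROM name) and `scratch` are not external bases.
// ARG defaults declared before FROM are substituted; anything still
// unresolved is reported rather than silently dropped.
function baseImages(text) {
  const args = {};
  const aliases = new Set();
  const bases = new Set();
  const unresolved = [];
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    const arg = /^ARG\s+(\w+)=(\S+)/i.exec(line);
    if (arg) {
      args[arg[1]] = arg[2];
      continue;
    }
    const from = /^FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?/i.exec(line);
    if (!from) continue;
    const ref = from[1].replace(/\$\{?(\w+)\}?/g, (m, name) =>
      args[name] !== undefined ? args[name] : m
    );
    const lower = ref.toLowerCase();
    const isStageRef = lower === "scratch" || aliases.has(lower);
    if (from[2]) aliases.add(from[2].toLowerCase());
    if (isStageRef) continue;
    if (ref.includes("$")) {
      unresolved.push(from[1]);
      continue;
    }
    bases.add(ref);
  }
  return { bases: [...bases], unresolved };
}

// A query without a tag matches every tag of that repository; a query with a
// digest must match the digest exactly; a missing base tag means "latest".
function matchesImage(baseRef, query) {
  const b = splitRef(baseRef);
  const q = splitRef(query);
  if (b.repo !== q.repo) return false;
  if (q.digest) return b.digest === q.digest;
  if (q.tag) return (b.tag || "latest") === q.tag;
  return true;
}

// Every Dockerfile whose external bases match the query.
function affectedBy(files, query) {
  return Object.keys(files)
    .filter((path) => baseImages(files[path]).bases.some((b) => matchesImage(b, query)))
    .sort();
}

// Bases pulled by tag alone can change between builds; list them for pinning.
function unpinnedBases(files) {
  const out = [];
  for (const [path, text] of Object.entries(files)) {
    for (const b of baseImages(text).bases) {
      if (!splitRef(b).digest) out.push(`${path}: ${b}`);
    }
  }
  return out.sort();
}
```

Run `affectedBy(sampleDockerfiles, "node:10-alpine")` to get the Dockerfiles that would need a rebuild after a fix lands in that tag; `unpinnedBases` is the companion check, since an image pulled by tag can be a different image tomorrow than the one you scanned today.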

April 17, 2019

The top two most popular Docker base images each have over 500 vulnerabilities

Welcome to the Docker security report “Shifting Docker security left”. This report is split into several posts: “Shifting Docker security left”, “The top two most popular Docker base images each have over 500 vulnerabilities”, “80% of developers are not addressing Docker security” and “Take actions to improve security in your Docker images”. Or download our lovely […]

April 17, 2019

80% of developers are not addressing Docker security

Welcome to the Docker security report: Shifting Docker security left. This report is split into several posts: “Shifting Docker security left”, “The top two most popular Docker base images each have over 500 vulnerabilities”, “80% of developers are not addressing Docker security” and “Take actions to improve security in your Docker images”. Or download our lovely […]

April 17, 2019

Take actions to improve security in your Docker images

Welcome to the Docker security report: Shifting Docker security left. This report is split into several posts: “Shifting Docker security left”, “The top two most popular Docker base images each have over 500 vulnerabilities”, “80% of developers are not addressing Docker security” and “Take actions to improve security in your Docker images”. Or download our lovely handcrafted […]

April 17, 2019

After three years of silence, a new jQuery prototype pollution vulnerability emerges once again

On March 26th, 2019, almost three years after the last jQuery security vulnerability was disclosed, we learned about a new security vulnerability affecting the same popular jQuery frontend library. This vulnerability, known as prototype pollution, enables attackers to overwrite properties on the prototype of a JavaScript application's objects. When that happens, properties that are […]
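Prototype pollution is easiest to understand from the shape of code that is susceptible to it. The following is an added example and is not jQuery's code: a naive recursive merge of the kind found in many deep-extend helpers, which lets a JSON document carrying a `__proto__` key write onto `Object.prototype`, beside a hardened merge that skips prototype-affecting keys and only ever reads own properties. The attacker payload and the `isAdmin` property name are constructed for the example.

```javascript
// Added example (not jQuery's code): a polluting deep merge and a hardened one.

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable: walks every key of src, recursing when both sides are objects.
// For key "__proto__", dst["__proto__"] resolves to dst's prototype, so the
// nested values of src are written onto Object.prototype itself.
function mergeUnsafe(dst, src) {
  for (const key in src) {
    if (isPlainObject(src[key]) && isPlainObject(dst[key])) {
      mergeUnsafe(dst[key], src[key]);
    } else if (isPlainObject(src[key])) {
      dst[key] = mergeUnsafe({}, src[key]);
    } else {
      dst[key] = src[key];
    }
  }
  return dst;
}

// Hardened: refuse the keys that reach a prototype, iterate own enumerable
// keys only, and never read dst[key] unless it is an own property, so the
// recursion can't be steered up the prototype chain.
function mergeSafe(dst, src) {
  for (const key of Object.keys(src)) {
    if (key === "__proto__" || key === "constructor" || key === "prototype") continue;
    const val = src[key];
    if (isPlainObject(val)) {
      const own = Object.prototype.hasOwnProperty.call(dst, key) && isPlainObject(dst[key]);
      dst[key] = mergeSafe(own ? dst[key] : {}, val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Constructed attacker payload: JSON.parse produces an own property literally
// named "__proto__", which a for-in loop happily visits.
const attackerJson = '{"__proto__": {"isAdmin": true}, "name": "eve"}';

// Merge the payload with the unsafe helper, then check whether an unrelated,
// freshly created object now reports isAdmin. Cleans up afterwards so the rest
// of the process is not left polluted.
function demoUnsafe() {
  mergeUnsafe({}, JSON.parse(attackerJson));
  const unrelated = {};
  const leaked = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin;
  return leaked;
}

// Same payload through the hardened helper: legitimate keys survive, the
// prototype is untouched, and no "__proto__" own key is copied either.
function demoSafe() {
  const out = mergeSafe({}, JSON.parse(attackerJson));
  const unrelated = {};
  return {
    leaked: unrelated.isAdmin === true,
    name: out.name,
    hasProtoKey: Object.keys(out).includes("__proto__"),
  };
}
```

The consequence of the unsafe merge is that every object in the application, including ones created long after the merge, inherits `isAdmin`, which is why a check such as `if (user.isAdmin)` elsewhere becomes attacker-controlled. Beyond fixing the merge, defence in depth is to keep untrusted-keyed data in `Object.create(null)` objects or a `Map`, and to `Object.freeze(Object.prototype)` in applications that can tolerate it.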

April 15, 2019

Cheat sheet: 10 Bitbucket security best practices

In this cheat sheet we’ll cover how you can be more secure as a Bitbucket user or contributor. Some of it is specific to Bitbucket, but a lot of it is also useful for other Git and non-Git repositories as well. DOWNLOAD THE CHEAT SHEET! So let’s get started with our list of 10 Bitbucket […]

April 8, 2019